I was looking at a web tutorial, but the instructor was speaking in a language I do not understand and the video was not showing its complete length. Can anyone advise me how the line should look...

 private void Insertbtn_Click(object sender, EventArgs e)
 {
   OleDbCommand cmd = new OleDbCommand(); // this is good
   cmd.CommandType = CommandType.Text;    // this is good
   cmd.CommandType = "INSERT INTO Students(StudentID, StudentName, StudentCNCI, 
   StudentDOB) Values('" + StudIDTxt.Text + "','" + StudNameTxt.Text + "','" + 
   StudCNCITxt.Text + "','" + StudDOBTxt.Text +")"; // Need help here pls
   cmd.Connection=myCon;   
   myCon.Open();
   cmd.ExecuteNonQuery();
   myCon.Close();
 }

I am developing in VS 2010 C#. Using Access.


Solution

You should always use parameterized queries. Your code is open to SQL injection attacks.

In your query, you should use the CommandText property, not CommandType:

cmd.CommandText = "INSERT INTO Students(StudentID, StudentName, StudentCNCI, " +
   "StudentDOB) Values(@StudIDTxt, @StudNameTxt, @StudCNCITxt, @StudDOBTxt)";

cmd.Parameters.AddWithValue("@StudIDTxt", StudIDTxt.Text);
cmd.Parameters.AddWithValue("@StudNameTxt", StudNameTxt.Text);
cmd.Parameters.AddWithValue("@StudCNCITxt", StudCNCITxt.Text);
cmd.Parameters.AddWithValue("@StudDOBTxt", StudDOBTxt.Text);

Other tips

Your:

cmd.CommandType = "INSERT INTO Students(StudentID, StudentName, StudentCNCI, 
   StudentDOB) Values('" + StudIDTxt.Text + "','" + StudNameTxt.Text + "','" + 
   StudCNCITxt.Text + "','" + StudDOBTxt.Text +")";

should be

cmd.CommandText = "INSERT INTO Students(StudentID, StudentName, StudentCNCI, " +
   "StudentDOB) Values('" + StudIDTxt.Text + "','" + StudNameTxt.Text + "','" + 
   StudCNCITxt.Text + "','" + StudDOBTxt.Text + "')";

You made a typo.

Also, a single quote was missing: (StudDOBTxt.Text + ")") should have been StudDOBTxt.Text + "')". That would cause a syntax error on the SQL server side.

As for the parametrized form of your query (the form that is safe from SQL injection attacks), it would have to use question marks instead of named parameters (that's how it works in ODBC when the command type is text); it would be something like this:

   cmd.CommandText = @"INSERT INTO Students(StudentID, StudentName, StudentCNCI, StudentDOB) 
                        Values(?,?,?,?)";
   cmd.Parameters.Add(new OleDbParameter("p1", StudIDTxt.Text));
   cmd.Parameters.Add(new OleDbParameter("p2", StudNameTxt.Text));
   cmd.Parameters.Add(new OleDbParameter("p3", StudCNCITxt.Text));
   cmd.Parameters.Add(new OleDbParameter("p4", StudDOBTxt.Text));
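
Added example, not part of any answer above: a runnable Python/sqlite3 stand-in for the Access/OleDb code that shows what the two answers above are warning about. The Students table, the extra Staff table, the student names and the attacker payload are all constructed for the demonstration; `insert_concatenated` has the shape of the original Insertbtn_Click (with the missing closing quote fixed), and `insert_parameterized` uses the positional `?` placeholders of the last answer, which sqlite3 and OleDb both bind in the order the parameters are supplied.

```python
import sqlite3

# Constructed in-memory schema standing in for the Access database of the
# question: the Students table from the INSERT, plus a Staff table holding a
# value the form user should never be able to read.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Students(StudentID TEXT, StudentName TEXT,
                              StudentCNCI TEXT, StudentDOB TEXT);
        CREATE TABLE Staff(Login TEXT, PasswordHash TEXT);
        INSERT INTO Staff VALUES ('admin', 'sha256:0123abcd');
    """)
    return con


def insert_concatenated(con, student_id, name, cnci, dob):
    """The pattern of the original Insertbtn_Click: text box values pasted
    straight into the SQL string (with the missing closing quote fixed)."""
    sql = ("INSERT INTO Students(StudentID, StudentName, StudentCNCI, StudentDOB) "
           "Values('" + student_id + "','" + name + "','" + cnci + "','" + dob + "')")
    con.execute(sql)


def insert_parameterized(con, student_id, name, cnci, dob):
    """Positional ? placeholders, the shape used with OleDbParameter above.
    The driver binds the tuple in order; the values never touch the SQL text."""
    con.execute(
        "INSERT INTO Students(StudentID, StudentName, StudentCNCI, StudentDOB) "
        "Values(?,?,?,?)",
        (student_id, name, cnci, dob),
    )


def fetch_student(con, student_id):
    """Returns (StudentName, StudentCNCI) for one row, or None."""
    return con.execute(
        "SELECT StudentName, StudentCNCI FROM Students WHERE StudentID = ?",
        (student_id,),
    ).fetchone()


def demo_apostrophe():
    """A legitimate name containing a quote breaks the concatenated query
    (a syntax error, the same failure the missing quote in the question causes)
    but is stored intact by the parameterized one.
    Returns (error message or None, row inserted by the safe version)."""
    con = make_db()
    try:
        insert_concatenated(con, "S1", "O'Brien", "1234", "2000-01-01")
        error = None
    except sqlite3.OperationalError as exc:
        error = str(exc)
    insert_parameterized(con, "S2", "O'Brien", "1234", "2000-01-01")
    return error, fetch_student(con, "S2")


# Constructed attacker input for the CNCI text box: closes the string literal,
# splices in a scalar subquery, and reopens the literal so the INSERT still parses.
PAYLOAD = "' || (SELECT PasswordHash FROM Staff WHERE Login = 'admin') || '"


def demo_injection():
    """The concatenated INSERT stores the admin hash in the attacker's own row,
    where the form will display it back; the parameterized INSERT stores the
    payload as the literal string it is. Returns (leaked row, literal row)."""
    con = make_db()
    insert_concatenated(con, "S3", "Mallory", PAYLOAD, "2000-01-01")
    insert_parameterized(con, "S4", "Mallory", PAYLOAD, "2000-01-01")
    return fetch_student(con, "S3"), fetch_student(con, "S4")


if __name__ == "__main__":
    print(demo_apostrophe())
    print(demo_injection())
```

Two things carry over directly to the OleDb code: a value like O'Brien typed into StudNameTxt produces the same syntax error as the missing quote, so hand-escaping quotes is the wrong fix; and because OleDb binds `?` placeholders by position, the order of the cmd.Parameters.Add calls must match the order of the question marks in the INSERT.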
 private void Insertbtn_Click(object sender, EventArgs e)
 {
    OleDbCommand cmd = new OleDbCommand(); // this is good
    cmd.CommandType = CommandType.Text;    // this is good
    cmd.CommandText = "INSERT INTO Students(StudentID, StudentName, StudentCNCI, " +
    "StudentDOB) Values('" + StudIDTxt.Text + "','" + StudNameTxt.Text + "','" + 
    StudCNCITxt.Text + "','" + StudDOBTxt.Text + "')"; // CommandText, not CommandType
    cmd.Connection=myCon;   
    myCon.Open();
    cmd.ExecuteNonQuery();
    myCon.Close();
 }

It should be CommandText, not CommandType.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow